Product Guide. McAfee Web Gateway Cloud Service

Size: px

Start display at page:

Download "Product Guide. McAfee Web Gateway Cloud Service"

Sydney Davis
6 years ago
Views:

1 Product Guide McAfee Web Gateway Cloud Service

2 COPYRIGHT Copyright 2017 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator, McAfee epo, McAfee EMM, Foundstone, McAfee LiveSafe, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, True Key, TrustedSource, VirusScan are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. LICENSE INFORMATION License Agreement NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND. 2 McAfee Web Gateway Cloud Service Product Guide

3 Contents 1 Product overview 5 What is McAfee WGCS? Key features How McAfee WGCS works McAfee web security technologies Account management Policy management 9 Global policy model Using the Policy Browser Viewing feature policies Viewing rules Viewing catalogs Download and install SSL certificates Working with user groups Active Directory synchronization Add a local user group Edit the local user group Working with rules and feature policies Add a rule Create a rule by importing a URL list Create a rule using exceptions Change a rule Manage the URLs Reorder the rules Delete a rule Change a feature policy Change Policy Assignment View audit logs Export the audit logs Error conditions Data errors Network connection errors Saving errors Authentication 37 Authentication and policy decisions How McAfee WGCS implements the authentication options How the authentication process works IP range authentication Enable or disable IP range authentication Configuring IP range authentication Import a list of IP address ranges Export a list of IP address ranges SAML authentication McAfee Web Gateway Cloud Service Product Guide 3

4 Contents Benefits of SAML authentication SAML authentication high-level steps SAML configuration overview Considerations when configuring SAML authentication Configuring SAML in the management console SAML authentication settings IPsec site-to-site authentication Configuring IPsec site-to-site authentication Considerations when configuring IPsec site-to-site Enable or disable IPsec site-to-site authentication Add an IPsec location Delete an IPsec location Edit the IPsec site-to-site settings IPsec site-to-site settings Adding SAML authentication to IPsec site-to-site Index 53 4 McAfee Web Gateway Cloud Service Product Guide

5 1 Product overview McAfee Web Gateway Cloud Service (McAfee WGCS) is a globally available, enterprise cloud service that provides comprehensive web protection through in-depth content scanning and integration with other McAfee web security technologies. Contents What is McAfee WGCS? Key features How McAfee WGCS works McAfee web security technologies Account management What is McAfee WGCS? The web protection service protects your organization from security threats that arise when end users access the web. The service scans and filters web traffic between end users in your organization and the cloud. It blocks traffic that is not allowed by the web protection policy you configure. It protects users working inside or outside your network. For example, the service protects users who are working in a coffee shop or hotel. Using the web protection service, you can prevent sophisticated threats, implement your organization's Internet use policy, and promote productivity. For example, you can control access to file upload websites. Through hundreds of web content, application, and media type categories, you have fine-grained control over web use inside and outside the network. As a service running on a cloud platform, McAfee WGCS is managed 24/7 by a team of McAfee security experts. You purchase a subscription to the service, and there is no hardware or software to install. The cloud services platform consists of globally distributed nodes called points of presence (PoP). The Global Routing Manager (GRM) is a DNS service that is responsible for intelligent traffic routing, load sharing, and failover. The GRM routes traffic to the best available point of presence. The web protection service is managed and configured using the McAfee epolicy Orchestrator Cloud (McAfee epo Cloud) platform and console. McAfee WGCS can be deployed with or without McAfee Client Proxy. Client Proxy software is installed on the computers of end users in your organization. The software is location-aware and redirects end-user requests to the cloud service when users are working outside the network. Client Proxy is managed and configured using the McAfee epolicy Orchestrator (McAfee epo ) or McAfee epo Cloud platform and console. McAfee WGCS can be integrated with Client Proxy when the software is managed using either platform. End-user computers are referred to as client or endpoint computers. Endpoint computers are sometimes called the endpoint. McAfee Web Gateway Cloud Service Product Guide 5

6 1 Product overview Key features Key features McAfee WGCS provides these key security features. URL filtering using whitelists, blacklists, and reputation categories based on risk levels determined by McAfee Global Threat Intelligence (McAfee GTI) SSL scanning, including full decryption and content inspection Web filtering: Web content filtering using the Web Category Filter Web application filtering using Access Protection Media type filtering using the Media Type Filter Anti-Malware filtering that blocks malware in-line and includes traditional anti-virus and behavior emulation technology SAML, IP range, and IPsec site-to-site authentication of end users requesting cloud access Web protection reporting: productivity, web activity, web policy enforcement, and web security overview How McAfee WGCS works The web protection service protects your organization from malware, spyware, viruses, phishing URLs, targeted attacks, and blended threats through an in-depth detection process. The threat detection process consists of these high-level steps. 1 Using signature-based anti-virus technology with URL category and reputation data from McAfee GTI, McAfee WGCS filters known threats from web traffic, while allowing known good traffic to pass. This step of the process detects about 80% of web-based threats. 2 The remaining web traffic is not known to be good or bad. Suspicious unknown traffic is then inspected by the Gateway Anti-Malware Engine. Using emulation technology, dynamic web content and active code are observed in a controlled environment to understand intent and predict behavior. This step of the process detects almost 100% of the remaining web-based threats. Known as zero-day malware, these threats are new or changed malware files that do not yet have signatures. McAfee web security technologies McAfee WGCS uses information and intelligence provided by proven McAfee web security components and technologies. These components and technologies dynamically update the web protection service as web security information and intelligence change. The components and technologies are fully integrated with the service. Minimal configuration is required in the user interface. Web security components and technologies include: 6 McAfee Web Gateway Cloud Service Product Guide

7 Product overview Account management 1 McAfee GTI Evaluates website reputation based on past behavior and assigns websites to categories of high, medium, low, and unverified risk. McAfee GTI collects, analyzes, and distributes data in real time from more than 100 million sensors in more than 120 countries. Filters Simplify policy rules by assigning similar websites, web applications, and file types to groups. Web Category Filter Assigns websites to categories based on content. Using this filter, you allow or block access to specified content, such as blocking access to gambling sites. Access Protection Assigns web applications to categories by type. Using this filter, you allow or block access to web applications individually or by category. For example, you can block file uploads to file-sharing applications in the cloud. Media Type Filter Categorizes files by document type or audio or video format. Using this filter, you allow or block access to specified media types, such as blocking access to streaming media. Gateway Anti-Malware Engine Filters web traffic, detecting and blocking zero-day malware in-line using emulation technology before end-user devices are infected. Account management In the management console, you can synchronize an on-premise Active Directory with McAfee epo Cloud. You can also apply your web protection policy to local user groups that you create and name. Active Directory synchronization You can create, populate, and maintain your organization's on-premise Active Directory accounts in the McAfee epo Cloud System Tree. For more information, see the McAfee epolicy Orchestrator Cloud Product Guide. Local user group feature You can manually create and name local user groups and then add them to policy rule actions. This feature is part of the Policy Web, Cloud Data Policy interface. McAfee Web Gateway Cloud Service Product Guide 7

8 1 Product overview Account management 8 McAfee Web Gateway Cloud Service Product Guide

9 2 2 Policy management In the McAfee epo Cloud management console, you manage the web security policy that determines how McAfee WGCS filters web traffic and allows or blocks access to web content, applications, and objects. Contents Global policy model Using the Policy Browser Download and install SSL certificates Working with user groups Working with rules and feature policies View audit logs Error conditions Global policy model The McAfee WGCS policy model is based on one set of policies that is applied globally across your organization. You configure one set of policies that apply globally to all users and groups in your organization. To customize the application of the policy set to specific users or groups, you then configure exceptions to the rules that make up the policies in the set. McAfee Web Gateway Cloud Service Product Guide 9

2 Policy management Using the Policy Browser Using the Policy Browser The Policy Browser user interface for managing your policies is designed around the concept of providing information contextually.

10 2 Policy management Using the Policy Browser Using the Policy Browser The Policy Browser user interface for managing your policies is designed around the concept of providing information contextually. The type of information presented to you varies depending on your installed options, the current area of the user interface, and the choices that you have made. The user interface for managing your policies is organized to provide protection around key feature areas relevant to the McAfee products and services you use. Figure 2-1 Default policy browser (all features shown collapsed for clarity) These key feature areas are: Global Settings, where you maintain the Global URL Whitelist and Global Blacklist that applies to all users and policies. SSL Scanner, where you configure your SSL scanning settings. Web Reputation, where you maintain the settings relating to actions taken when websites with different reputation levels are encountered. Web Category Filter, where you configure the category-based scanning settings, protecting your users from inappropriate website categories. Access Protection, where you configure the web-based applications that your users can use. Media Type Filter, where you configure the types of file formats that can your users can access. Anti Malware Filter, where you configure settings relating to filtering for malware. Viewing feature policies In each key feature area on the user interface, is one or more feature policies relating to that area. Feature policies can be used to provide varying degrees of restriction on the key feature areas to which they relate. Each policy has its own set of rules and exceptions. For example, a restrictive feature policy most likely has rules and exceptions to block access to most locations for most users. A lenient policy has rules configured to allow access to most locations for most users. 10 McAfee Web Gateway Cloud Service Product Guide

11 Policy management Using the Policy Browser 2 By default, your product includes several policies for each feature area. These policies are configured with commonly used settings for different industry, educational, and government sectors. For example, some organizations prefer less restrictive settings, so that their employees, or students, can make the best business or educational use of the Internet. A Defense Department must be much more restrictive on the policies for Internet use. For most situations, it is useful to maintain two policies for each feature: one that you use in normal day-to-day situations, and another, more restrictive policy for when investigating a security concern. To view the available feature policies for each feature area, select each policy by clicking the policies drop-down list arrow. After the feature policy drop-down list has been expanded for the selected feature area, all feature policies relating to that area are displayed. In each policy, you can configure any number of rules. Policy Details Clicking a feature policy name for example, Limited, or Permissive displays the Policy Details pane toward the right of the user interface. Figure 2-2 Typical Policy Details pane for McAfee Web Gateway Cloud Service policies From the Policy Details pane, you can see the name of the feature policy, and can view and edit the block pages used by the feature policy. Also, you can copy the block page and use it to create another block page. You can view the details for any policy, whether it is enabled or disabled. If you view a policy that is not enabled, the disabled policy assignment icon is displayed, indicating it is not currently in use. You can also view feature policy-specific information: Table 2-1 Feature policy-specific information Feature Policy SSL Scanner Web Category Filter Additional information Download SSL certificate bundle link Block Uncategorized Sites checkbox Selecting Block Uncategorized Sites results in any sites that are uncategorized being blocked, even if those sites are listed in the URL Whitelist contained in subsequent areas. Enforce Secure Search checkbox McAfee Web Gateway Cloud Service Product Guide 11

12 2 Policy management Using the Policy Browser If you navigate to a different feature policy, the Policy Details pane remains open, but does not update until you click the new feature policy name. If you add or select a rule while the Policy Details pane is open, the Policy Details pane closes and the Rule Details pane replaces it. Viewing rules Each feature policy contains a set of rules. Rules run in a top-down order, with each rule being configured to take the selected action when the rule matches. Figure 2-3 Example feature policy rules Each feature policy has specific types of rules that they can contain. Table 2-2 Rule types Feature Global Settings SSL Scanner Web Reputation Web Category Filter Access Protection Allowable rules Global URL Whitelist a list of URLs that are considered 'safe' and which are evaluated before any other rules. Web requests to a URL contained within the Global URL Whitelist are allowed, and all further rules are skipped. Global Blacklist URL Whitelist a list of URLs that are applied to the SSL Scanner feature. SSL Web Category SSL Web Application all other SSL tunnels (catch-all rule) URL Whitelist a list of URLs that are applied to the SSL Scanner feature. Web Reputation URL Whitelist a list of URLs that are applied to the Web Category Filter feature. Web Category all other sites (catch-all rule) Web Application URL Whitelist a list of URLs that are applied to the Access Protection feature. all other web applications (catch-all rule) 12 McAfee Web Gateway Cloud Service Product Guide

13 Policy management Using the Policy Browser 2 Table 2-2 Rule types (continued) Feature Media Type Filter Anti-Malware Filter Allowable rules URL Whitelist a list of URLs that are applied to the Media Type Filter feature. Media Type all other media (catch-all rule) URL Whitelist a list of URLs that are applied to the Anti-Malware Filter feature. Anti-Malware Rule Details Clicking a rule displays the Rule Details pane toward the right of the user interface. From this pane, you can see the name of the rule, and whether it is enabled or disabled. You can also see the configured primary action, together with any exceptions that are configured. The top area of the Rule Details pane shows the primary object that is, the object or list about which the rule applies and its status. The Rule Details menu contains: Table 2-3 Rule details menu Menu item Enable Rule Disable Rule Add Action Close Description Enable the currently selected rule so that it is used to evaluate your users web requests. To prevent a rule being used to evaluate your users web requests, select Disable Rule. Where applicable for the selected feature and rule, add additional actions to the rule. Close the Rule Details card. The primary object changes depending on context as you select different types of rules, only relevant primary objects are displayed. The currently selected primary action is displayed. Table 2-4 Available primary actions for different types of rules Rule type Available primary actions Notes Application rules Allow, Block Anti-Malware rules Allow, Block, Submit Files, Bypass You cannot create Anti-Malware rules. The Submit Files and Bypass actions are only available when the Cloud Threat Detection service has been purchased. Global URL Blacklist Block You cannot create Blacklist rules; the only blacklist exists in the Global Settings feature. Catch-all rules Global URL Whitelist Media-Type rules Allow, Block Always Allow Allow, Block Web Reputation rules Allow, Block You cannot edit the Web Reputation primary object. You cannot create Web Reputation rules. SSL Scanner rules Inspect, Do not inspect McAfee Web Gateway Cloud Service Product Guide 13

14 2 Policy management Using the Policy Browser Table 2-4 Available primary actions for different types of rules (continued) Rule type Available primary actions Notes Web Category rules URL Whitelist rules Allow, Block Allow In each primary action, any configured exception objects where permitted are shown. Table 2-5 Descriptions of the actions Action Allow/Block Always Allow Inspect/Do no inspect Description An Allow action causes the web request to bypass the current feature, and progress to the next feature in the top-down list. The Block action stops all further processing and blocks the request. Applicable to the Global URL Whitelist only, Always Allow allows the web request through, and stops all further processing by the remaining features. The Inspect action causes the SSL information to be decrypted before being passed to the next feature in the list. Do not inspect stops the SSL information being decrypted, effectively stopping all further processing by the remaining features. Submit Files/Bypass (only available for Cloud Threat Detection service) The Submit Files action causes the files to be forwarded to the Cloud Threat Detection service for further analysis. The Bypass action prevents the file being sent to the Cloud Threat Detection service. Importance of the rule order When an Always Allow action is triggered, all subsequent rules are skipped and are not evaluated in relation to the current request. For Allow actions, all remaining rules in the current feature policy are skipped, and processing continues in the next feature policy. For both Allow or Always Allow actions, the triggering item is allowed. Consider the order in which you sort your rules for each feature policy. Place the most stringent rules at the top of rule list, progressing down to the final catch-all rule at the bottom of the list. Importance of the action order The action placed at the bottom of the Rule Details pane is considered the primary action, and acts as the catch-all action. For example, if the bottom-most action is Block, then any traffic that does not match the actions above it is blocked. Object details The object details pane provides a method of viewing relevant items in your rules. The information displayed in the object details pane changes as you move through the workflow for your tasks. This changing information ensures that you are always presented with options relating to your current workflow. For example, when the Web Reputation rule is selected, you can enable or disable the rule, and you can add exceptions. You cannot edit the description for the Web Reputation rule. When permitted by the current stage in your workflow, you can edit the items that appear in the selected object. Some areas of the user interface can contain large quantities of selectable entries. These areas include a search field to allow you to more easily find the items that you are looking for. 14 McAfee Web Gateway Cloud Service Product Guide

Policy management Using the Policy Browser 2 Catch-all rules Catch-all rules provide you with a method of configuring feature policies such that an action can be taken if no other rules are triggered.

15 Policy management Using the Policy Browser 2 Catch-all rules Catch-all rules provide you with a method of configuring feature policies such that an action can be taken if no other rules are triggered. Catch-all rules are included within the SSL Scanner, Web Category Filter, Access Protection, and Media Type Filter policies. Catch-all rules appear at the bottom of the list of rules for the relevant feature policies, and cannot be deleted or reordered. This type of rule can be disabled. Viewing catalogs Catalogs hold groups of related data, for example, block pages, lists of web categories, lists of web application types, and lists of media types. The Catalog pane is displayed on the right side of the screen. Figure 2-4 Catalog pane The content of the catalog pane varies depending on the selected feature area and rules. McAfee Web Gateway Cloud Service Product Guide 15

16 2 Policy management Download and install SSL certificates Download and install SSL certificates Installing SSL certificates enables McAfee WGCS to scan your SSL traffic. Certificates must be installed on each device used to communicate with McAfee WGCS. Detailed information about installing the SSL certificates on different browsers and operating systems is included in the certificate bundle. 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 From the Policy Browser, select SSL Scanner. 3 Click the policy name - for example, No SSL Inspection, or Basic Coverage, to the right of the SSL Scanner area. The Policy Details pane is displayed on the right of the screen. 4 Click Download SSL certificate bundle. When prompted, save the.zip file locally. 5 Extract the files from the.zip file. 6 Follow the instructions for your browsers and operating systems contained in the Importing_Certificates_into_Browsers.pdf document (included in the certificate bundle.zip file). Working with user groups Configure local user groups or use Active Directory Services to connect to your Active Directory so that you can apply policies to different groups of users. s Active Directory synchronization on page 16 By integrating the user groups from your Active Directory into the web protection policies, you can create policies that are applied to specific groups of users. Add a local user group on page 16 You can add local user groups to your feature policies to customize the protection for your users. Edit the local user group on page 17 As an administrator, a common task is to edit the local user group details. Active Directory synchronization By integrating the user groups from your Active Directory into the web protection policies, you can create policies that are applied to specific groups of users. See the Active Directory synchronization chapter in the McAfee epolicy Orchestrator Cloud Product Guide for detailed information about synchronizing your local AD. Add a local user group You can add local user groups to your feature policies to customize the protection for your users. 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 In the Policy Browser, select the feature to change. 3 In the feature area, select the feature policy and rule to which you want the local user group added. 16 McAfee Web Gateway Cloud Service Product Guide

17 Policy management Working with rules and feature policies 2 4 In the Rule Details pane, select edit for the action to which you want to add the new user group. You cannot add a user group to the current primary action. 5 Click the menu icon button from the user groups pane. 6 Click New User Group. 7 (Optional) Type a name for the user group. 8 Click Save to update the rule. Edit the local user group As an administrator, a common task is to edit the local user group details. 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 In the Policy Browser, select the feature to change. 3 Select the local user group to be edited. 4 Click the menu icon button from the group details pane. 5 Click Edit. 6 Type the new name for the user group. 7 Click Save to update the local user group. Working with rules and feature policies Use the following tasks when creating or changing rules and feature policies. McAfee Web Gateway Cloud Service Product Guide 17

18 2 Policy management Working with rules and feature policies s Add a rule on page 18 You can add rules to your feature policies to customize the protection for your users. Create a rule by importing a URL list on page 19 You can create a URL list rule by importing a.csv file with the URLs into a URL list. You then add this URL list to the new rule. Create a rule using exceptions on page 20 Create a complex rule using exceptions to specify user groups and connected applications. Change a rule on page 21 There are a number of ways you can change rules to meet your protection requirements. Manage the URLs on page 26 By adding a URL, the website that your users can access can be controlled. The added URLs are maintained in the URL list and it can be edited when needed. Also, the URLs can be exported to backup the information. Reorder the rules on page 29 Move the rules to change the order in which they are applied. The order in which rules are applied depends on the order that they appear in your policy rules are applied from the top down. Delete a rule on page 29 Deleting unwanted rules enables you to more easily organize and understand your feature policies. Change a feature policy on page 30 You can change feature policies to meet your protection requirements. Change Policy Assignment on page 34 Each feature can have only one active feature policy applied to it at a time. Use this task to change the feature policy assigned to a feature. Add a rule You can add rules to your feature policies to customize the protection for your users. Where the new rule is placed depends on the options you choose, and what you currently have selected: If you have an existing rule selected, the new rule is placed immediately above the selected rule. If you do not have a rule selected, the new rule is placed at the bottom of the selected key protection area. If a catch-all rule exists, the new rule is placed above the catch-all rule. If you choose to add a whitelist, it is placed below the last whitelist rule in the browser. You cannot add a rule if you are currently in edit mode, for example, if you are editing the rule details of another rule. Some rule types for example, Anti-Malware rules and Web Reputation rules are created by default, and you cannot add more rules of these types. 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 From the Policy Browser, click the Action menu icon of the feature policy, then select New Rule. 3 In the Catalog pane, select your required catalog type from the drop-down list. The relevant catalogs are displayed. 18 McAfee Web Gateway Cloud Service Product Guide

19 Policy management Working with rules and feature policies 2 4 Click the Add button next to the catalog to use. Best practice: Use the Search field to filter the items available for selection. To empty the Search field, click the remove icon. 5 Click Save. 6 Select the required actions. 7 Click Save. Create a rule by importing a URL list You can create a URL list rule by importing a.csv file with the URLs into a URL list. You then add this URL list to the new rule. Before you begin Ensure that you have an existing comma-separated values file with the list of the URLs to be imported. The file can optionally include a header row. The list must contain comma-separated values. Each line contains one URL, followed by the ',' separator and then either 'true' or 'false'. Adding 'true' indicates that the URL has the 'All subdomains' parameter selected, whereas 'false' deselects 'All subdomains'. The URL and the true/false value are case insensitive. There must not be any spaces in or at the end of each line. As an example, the entries in the file can look like: example.org,true If any row in the URL list does not comply with the required format, an error is displayed and the file import fails. 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 From the Policy Browser, click the menu icon of the feature policy that relates to the rule to be added. 3 Select New URL Whitelist Rule. 4 In the URL List Catalog, click the Catalog menu icon and select Import New URL List. 5 In the Import List dialog box, browse to the previously created list of URLs. If the.csv file includes a first row with header information, make sure that you select This file contains a header row. 6 Click Import. The content of the file is used to create a URL list rule. If duplicate URLs are contained in the.csv file, the import is paused and you are notified of the duplicate entries. You can then choose to continue with the import or end without importing the URL list. McAfee Web Gateway Cloud Service Product Guide 19

20 2 Policy management Working with rules and feature policies 7 After the URLs listed in the file have been imported, accept the default URL list name, or type a new name for the URL list. By default, the new list takes the name of the.csv file used to import the URL list. 8 Click Save. 9 To add the list to the new rule, click the add icon to the right of the newly added URL list. 10 Accept the default rule name, or type a new name. By default, the new rule takes the name of the selected URL list. 11 Click Save. Create a rule using exceptions Create a complex rule using exceptions to specify user groups and connected applications. This task creates the rule discussed in the example given in the topic Using exceptions: Assume that you are creating a rule to ensure compliance with US PII legislation. In this rule, you want to monitor the cloud interactions that are matched to the US PII classification for your executives. But, you want to enforce the use of encryption for your allowed users when they move files that contain Personally identifiable information to specific connectable cloud applications. 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 Create a new rule. a From the Policy Browser, click the menu icon of the feature policy or rule in Cloud Data Protection. b Select New Rule. 3 Assign the required rule type. a From the Catalog, select Classifications from the drop-down list. The catalogs of available classifications are displayed. b From the catalog, click the add button to the right of the US PII entry. In the Rule Details pane, you see that rule name is now US PII. 4 Assign the required user groups. a In the Rule Details pane, click the edit icon located next to the Monitor option. In the Catalog pane, the list of User Groups is displayed. b Click the add button to the right of Executives. The Monitor action is now tied to the Executives user group. c In the Rule Details pane, click the menu icon and select Add Action. The Apply Encryption option is selected by default and the rule is now editable. 20 McAfee Web Gateway Cloud Service Product Guide

21 Policy management Working with rules and feature policies 2 d From the Catalog pane, select Allowed User Groups by clicking the The Apply Encryption action is now tied to Allowed User Groups. add button. 5 Assign the required cloud connectors. a In the Catalog pane, select Applications (Advanced Protection) from the drop-down menu. In the Catalog pane, the list of Provisioned Applications and Non-Provisioned Applications are displayed. The provisioned applications are cloud applications with a connector that are purchased and can be configured. The non-provisioned applications are cloud applications with a connector which are not purchased, and they are indicated with icon. b Click the add button to the right of the Provisioned Applications application. The Apply Encryption action is now tied to the application and is applicable to Allowed User Groups. 6 In the Rule Details pane, click Save. Change a rule There are a number of ways you can change rules to meet your protection requirements. s Enable or disable a rule on page 22 Not all rules in a feature policy need be active at any given time. You can enable or disable rules to suit your requirements. Change the Rule Details on page 22 In the Rule Details pane, you can add or remove user group exceptions, or edit the primary objects in the currently selected rule. Add an action to a rule on page 23 Add additional actions to rules. Change the primary action on page 23 The primary action for a rule can be considered as the catch-all action. In the Rule Details pane, the primary action is displayed at the bottom of the pane. Change an action on page 23 When multiple actions are available for a rule, you can change the selected action. Remove an action from a rule on page 24 Remove actions from rules. Create a list on page 24 You can create lists and add them to Web Category, Media Type, Site lists, and Application rules. Use a pick list to populate a list on page 25 To quickly add items to a list, select them from prepopulated pick lists. McAfee Web Gateway Cloud Service Product Guide 21

22 2 Policy management Working with rules and feature policies Enable or disable a rule Not all rules in a feature policy need be active at any given time. You can enable or disable rules to suit your requirements. 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 In the Policy Browser, select the feature to change. 3 In the feature area, select the feature policy and rule to change. 4 In the Rule Details pane, click the menu icon and select the required state (Enable rule or Disable rule) from the available options. If you are trying to disable a catch-all rule, another confirmation dialog is presented. Click OK to proceed. 5 Click Save to proceed with the change. Change the Rule Details In the Rule Details pane, you can add or remove user group exceptions, or edit the primary objects in the currently selected rule. Some rule types have limitations on what can be edited. For example, with Anti-Malware rules you cannot switch between the actions or delete the rule. You can enable or disable an Anti-Malware rule, and you can add exceptions groups to the Block action. You can create exceptions for most rule types. For example, you can have a rule that allows your employees to access the Internet. You can then define an exception in this rule that prevents guest users and contractors from this access. The following workflow shows how to change the rule details for the Allow action. Changing the Block action uses a similar workflow. 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 In the Policy Browser, select the feature to change. 3 In the feature area, select the feature policy and rule to change. 4 In the Rule Details pane, make sure that the Allow action is selected. You cannot edit the active action in Rule Details. For example, if the Allow action is active, and you want to edit the Allow details, first make the Block action active. Move Block to the bottom position in the actions list. Then, make your required changes to the Allow action. 5 Click the edit icon located next to Allow. 6 In the Group Catalog, do one or more of the following: To add a group to the selected rule: In the Group Catalog, click the add icon to the right of the user group to be added to the Allow action. If a user group is already assigned to the action, the add icon is not displayed, as you cannot add an object twice to the same action. The selected user group is shown as grayed out in the catalog, and is added to the Allow action. 22 McAfee Web Gateway Cloud Service Product Guide

23 Policy management Working with rules and feature policies 2 To remove a group from the selected rule: From the existing groups in Rule Details, click the remove icon for the group to be removed. 7 Click Save. The selected user group is removed from the Allow action. Add an action to a rule Add additional actions to rules. Depending on your selected feature area and rule, additional actions can be added. If no additional actions are available for your selected feature and rule, the Add Action option is grayed-out in the menu. 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 In the Policy Browser, select the feature to change. 3 In the feature area, select the feature policy and rule to change. 4 In the Rule Details pane, click the menu icon and select Add Action. The new action is added to the rule as the secondary action. 5 Click Save. Change the primary action The primary action for a rule can be considered as the catch-all action. In the Rule Details pane, the primary action is displayed at the bottom of the pane. 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 In the Policy Browser, select the feature to change. 3 In the feature area, select the feature policy and rule to change. 4 In the Rule Details pane, click the edit icon next to the action to be made the primary action. The action to be changed shows the drop down. 5 Click the drop down icon. 6 Click Move Down until the selected action is the bottom-most action. 7 Click Save. The selected action is now the primary action. Change an action When multiple actions are available for a rule, you can change the selected action. 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 In the Policy Browser, select the feature to change. McAfee Web Gateway Cloud Service Product Guide 23

24 2 Policy management Working with rules and feature policies 3 In the feature area, select the feature policy and rule to change. 4 In the Rule Details pane, click the edit icon next to the action to be changed. The action to be changed shows the drop down. 5 Click the drop down icon. 6 Select the required action. 7 Click Save. The selected action is now used by the feature. Remove an action from a rule Remove actions from rules. You can remove unwanted actions from your rules. You cannot remove all actions from a rule. Also, you cannot remove the currently selected primary action. 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 In the Policy Browser, select the feature to change. 3 In the feature area, select the feature policy and rule to change. 4 In the Rule Details pane, ensure that the action to be removed is not the primary action. 5 Click the edit icon next to the action to be removed. 6 Click the drop-down icon and select Remove Action. 7 Click Save. Create a list You can create lists and add them to Web Category, Media Type, Site lists, and Application rules. Two methods exist for creating a list: Create a list using the new option. Select an existing list, and create a copy. This task shows the process to create a list, and the options to create a list by copying an existing list. 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 From the Policy Browser, select the feature. 3 In the feature area, select the required feature policy and rule. 4 In the Catalog pane, select the catalog type and do one of the following steps: a Click the menu icon, and select the New List. A new list is created, and you can rename the list if needed. 24 McAfee Web Gateway Cloud Service Product Guide

25 Policy management Working with rules and feature policies 2 b Select the list to be copied, and click Copy List in the menu icon. The selected list is copied, and you can rename the list if needed. The names New List and Copy List are changed according to the selected catalog type. For user group catalog type, the copy option is available only for the local user group. 5 From the pick list, add the required items to the new list. Click icon to add the item. If you are removing an item from the new list, click icon next to the item. If you are creating a list for URL lists, no pick lists are available. Instead, type the required URLs, or copy and paste a list of URLs into the URL field. 6 Click Save to add the new list to your configuration. Use a pick list to populate a list To quickly add items to a list, select them from prepopulated pick lists. Pick lists are used to select items in the catalogs for the following feature areas: Web Category Filter Access Protection Media Type Filter Any items already included in the selected list are shown as unavailable in the pick list. 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 In the Policy Browser, select the feature to change. 3 In the feature area, select the feature policy and rule to change. 4 Click the pick list icon. 5 Select the list to which items are being added. Depending on the list selected, the relevant pick lists are displayed. 6 Click the add icon to the right of the item to be added to the selected list. Best practice: Use the Search field to filter the items available for selection. To empty the Search field, click the remove icon. The item is added to the list. 7 Click Save to add the selected items to the list. McAfee Web Gateway Cloud Service Product Guide 25

26 2 Policy management Working with rules and feature policies Manage the URLs By adding a URL, the website that your users can access can be controlled. The added URLs are maintained in the URL list and it can be edited when needed. Also, the URLs can be exported to backup the information. Formatting domain names for URL lists The supported domain name formats are: host.domain.tld/path host.domain.tld domain.tld/path domain.tld host Specifies the DNS name of the host domain Specifies the name of the subdomain tld Specifies the top-level domain path Specifies the path to the web resource The path and any sub paths are automatically included, which is the same as placing an asterisk after the path in the domain name: host.domain.tld/path* domain.tld/path* But because the sub paths are always included, there is no need to add the asterisk. All subdomains setting This setting determines whether policy rules are applied to the domain and all subdomains or to the domain only. You can specify all subdomains, as follows: In the Policy Browser Select the All subdomains checkbox when adding a URL to a URL list. In a.csv file specifying a URL list Set the value in the Subdomain(True/False) column to True. Specifying all subdomains has the same effect as adding "*." at the beginning of each domain name: *.host.domain.tld/path *.host.domain.tld 26 McAfee Web Gateway Cloud Service Product Guide

27 Policy management Working with rules and feature policies 2 *.domain.tld/path *.domain.tld Add a URL to a URL list As an administrator, a common task is to add a URL to a URL list. These lists enable you to control the websites that your users can access. URL lists provide lists of websites that can be added to policies. Whitelists and blacklists are similar to other URL lists, except that: The Global URL Whitelist only has the Always Allow action. Feature-specific whitelists only have the Allow action. Blacklists only have the Block action. You cannot configure exceptions for blacklists or whitelists. 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 In the Policy Browser, select the feature to change. 3 In the feature area, select the feature policy, rule, and URL list to change. 4 In the URL list details pane, click the URL catalog icon and select Edit from the pop-up menu. The add URL pane appears beneath the URL list details pane. 5 Click in the add URL pane, and type the URL to be added to the URL list. You can also copy and paste a URL, or a list of URLs, into this field. The URL is checked as you enter it in the add URL pane, to prevent duplicate entries being added. 6 (Optional) Select All subdomains. Selecting All subdomains adds all sites found in the entered URL to the URL list. For example, entering google.com and selecting All subdomains matches maps.google.com, news.google.com, and mail.google.com. 7 Click Add to include the new URL with those shown in the URL list details pane. Until you click either Add or Clear, you cannot make further changes to the URL list. 8 Click Save to update the rule. Edit a URL in a URL list As an administrator, a common task is to maintain the URLs contained in URL lists. These lists enable you to control the websites that your users can access. URL lists provide lists of websites that can be added to policies. 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 In the Policy Browser, select the feature to change. 3 In the feature area, select the feature policy and rule to change. 4 From the URL list detail pane, select the URL to be edited. McAfee Web Gateway Cloud Service Product Guide 27

28 2 Policy management Working with rules and feature policies 5 Click the URL catalog icon and select Edit. The selected URL is shown in the edit URL pane beneath the URL list details pane. 6 Make your required changes to the selected URL. 7 Click Done to include the edited URL with those shown in the URL list details pane. To add a URL, rather than edit the selected URL, click the add icon. 8 Click Save to update the rule. Export a list of URLs Exporting lists of URLs is a useful way of backing up information. You can then import the exported information to other rules, or to import the information to other systems. The exported URLs are saved in CSV format. 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 Select the rule that contains the list of URLs to be exported to a CSV file. 3 In the Rule Details pane, click the URL catalog icon from the object details pane and select Export. 4 Follow the workflow for the browser you are using to save the file. The list of URLs are saved into a file named after the sitelist object. For example, exporting the list of URLs from a sitelist named Blocked URLs creates a list named Blocked URLs.csv. The file contains a header row, with the following column names: URL Subdomain (True/False) It also contains a row for each URL in the list. Import a list of URLs Importing lists is a convenient way of adding URLs to your system. The URL list to be imported must be in CSV format. Before you begin Ensure that you have an existing comma-separated values file with the list of the URLs to be imported. The file can optionally include a header row. The list must contain comma-separated values. Each line contains one URL, followed by the ',' separator and then either 'true' or 'false'. Adding 'true' indicates that the URL has the 'All subdomains' parameter selected, whereas 'false' deselects 'All subdomains'. The URL and the true/false value are case insensitive. There must not be any spaces in or at the end of each line. As an example, the entries in the file can look like: example.org,true If any row in the URL list does not comply with the required format, an error is displayed and the file import fails. 28 McAfee Web Gateway Cloud Service Product Guide

29 Policy management Working with rules and feature policies 2 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 Select the rule into which you want to import the URLs. 3 In the Rule Details pane, click the URL catalog icon from the object details pane and select Import. 4 Browse to the.csv file with the URLs to be imported. If the.csv file includes a first row with header information, make sure that you select This file contains a header row. 5 Click Import. A status message is displayed. If duplicate URLs are contained in the.csv file, the import is paused and you are notified of the duplicate entries. You can then choose to continue with the import or to end without importing the URL list. 6 To overwrite any existing URLs with the imported values, click Replace. 7 Click Save. Reorder the rules Move the rules to change the order in which they are applied. The order in which rules are applied depends on the order that they appear in your policy rules are applied from the top down. You cannot reorder a catch-all rule, as this type of rule has to appear at the bottom of the list. 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 In the Policy Browser, select the feature to change. 3 Select the rule to be moved. 4 Click the feature menu icon. You cannot reorder rules when the rule is in edit mode. If the rule is being edited, save or cancel your changes before you reorder the rules. 5 Click Reorder Rule. The move up and move down icons are displayed to the right of the selected rule. 6 Click either the move up or move down icons until the selected rule is in the required position. 7 When the rule is in the required position in the list of rules, click Save to keep the new rule order. Delete a rule Deleting unwanted rules enables you to more easily organize and understand your feature policies. You cannot delete: McAfee Web Gateway Cloud Service Product Guide 29

30 2 Policy management Working with rules and feature policies 'catch-all' rules Web Reputation rules Anti-Malware rules 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 In the Policy Browser, select the feature to change. 3 Select the rule to be deleted. 4 Click the Action menu icon and select Delete Rule. 5 Click Delete to confirm the deletion. The rule is permanently deleted from the policy. Change a feature policy You can change feature policies to meet your protection requirements. s Edit the Policy Details on page 30 From the Policy Details pane, you can edit the policy name. Create a block page on page 31 Block pages are displayed when your users are prevented from accessing a particular URL, document, or other web request. You can create different block pages for individual feature policies. Edit a block page on page 32 Block pages are displayed to the users when their web request is blocked. You can edit the content of the block pages to be relevant to the needs of your organization. Select a different block page on page 33 Block pages provide information to your users about web requests blocked by your configured rules and policies. Select suitable block pages for each feature policy. Edit the Policy Details From the Policy Details pane, you can edit the policy name. 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 From the policies drop-down list in the feature header of the policy browser, select the feature policy to be changed. 3 Click the feature policy name, for example Limited, or Permissive. The Policy Details pane is displayed. 4 In the Policy Details pane, click in the text box and change the name of the feature policy. For some feature types for example, SSL Scanner, Web Category Filter, you can also enable options specific to that feature. 5 Click Save to keep your changes. 30 McAfee Web Gateway Cloud Service Product Guide

31 Policy management Working with rules and feature policies 2 Create a block page Block pages are displayed when your users are prevented from accessing a particular URL, document, or other web request. You can create different block pages for individual feature policies. Before you begin Make sure that you have selected the policy that is to have a new block page created. Two methods exist for creating a block page: Create a block page using the New Block Page option. Select an existing block page and create a copy. This task shows the process to create a block page, and documents the options to create a block page by copying an existing page. 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 From the policies drop-down list in the feature header of the policy browser, select the feature policy to be changed. 3 Click the feature policy name, for example Limited, or Permissive. The Policy Details pane is displayed. 4 Click the block page edit icon in the Policy Details pane. The Block Page Catalog is displayed. 5 Click the menu icon beside the currently selected block page and select New Block Page from the pop-up menu. To create a copy of an existing block page, first select the block page to be copied, click add block page, then select Copy Block Page from the pop-up menu. Depending on your selection, the New Block Page or the Copy Block Page dialog box is shown. To view the block page editor at the full size of your browser window, click the maximize/minimize icon. 6 If needed, specify or change the name for the block page. McAfee Web Gateway Cloud Service Product Guide 31

32 2 Policy management Working with rules and feature policies 7 Using the provided tools, create the block page. You can edit the name of the block page, and change the content and formatting of the message. Use tokens in the block page to reflect information about the web requests that trigger the blocking action and the block message. Table 2-6 Available tokens for use in block pages Token {URL} {REASON} {IP} {RULE} {URL_CATEGORIES} {URL_REPUTATION} {MEDIA_TYPE} Description The requested URL. A combination of the reason for the block action and the specifics of the reason. The IP address of the client system. The name of the current rule. A list of categories that the requested URL matches. The reputation score for the requested URL. The Media Type classification for the requested file. {MALWARE_PROBABILITY} The probability that the file is malicious. {MALWARE} {APPLICATION} {USERNAME} {PROXYNAME} Information about the detected malware The name of the web application. Information about the user that made the web request. Details of the proxy used (if applicable). Each block page has a maximum content limit of 1 MB. 8 Click Save. You can save empty block pages. 9 To use the newly created block page for the selected policy, click the add block page icon to the right of the block page. 10 Click Save. Edit a block page Block pages are displayed to the users when their web request is blocked. You can edit the content of the block pages to be relevant to the needs of your organization. 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 Click the feature policy name, for example Limited, or Permissive. The Policy Details pane is displayed. 32 McAfee Web Gateway Cloud Service Product Guide

33 Policy management Working with rules and feature policies 2 3 Click the menu icon beside the currently selected block page and select Edit Block Page from the pop-up menu. You can switch between the default plain text view of your block page message, or you can view the underlying HTML code. To move between these views, click the source edit icon. To view the block page editor at the full size of your browser window, click the maximize/ minimize icon. 4 Using the provided tools, edit the block page. You can edit the name of the block page, and change the content and formatting of the message. Use tokens in the block page to reflect information about the web requests that trigger the blocking action and the block message. Table 2-7 Available tokens for use in block pages Token {URL} {REASON} {IP} {RULE} {URL_CATEGORIES} {URL_REPUTATION} {MEDIA_TYPE} Description The requested URL. A combination of the reason for the block action and the specifics of the reason. The IP address of the client system. The name of the current rule. A list of categories that the requested URL matches. The reputation score for the requested URL. The Media Type classification for the requested file. {MALWARE_PROBABILITY} The probability that the file is malicious. {MALWARE} {APPLICATION} {USERNAME} {PROXYNAME} Information about the detected malware The name of the web application. Information about the user that made the web request. Details of the proxy used (if applicable). Each block page has a maximum content limit of 1 MB. 5 Click Save. You can save empty block pages. Select a different block page Block pages provide information to your users about web requests blocked by your configured rules and policies. Select suitable block pages for each feature policy. 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 Click the feature policy name, for example Limited, or Permissive. The Policy Details pane is displayed. 3 In the Policy Details pane, click the Block Page edit icon. The Block Page Catalog appears, showing the available block pages. McAfee Web Gateway Cloud Service Product Guide 33

34 2 Policy management View audit logs 4 Click the add icon for the required block page. Best practice: Use the Search field to filter the items available for selection. To empty the Search field, click the remove icon. 5 Click Save to keep your changes. Change Policy Assignment Each feature can have only one active feature policy applied to it at a time. Use this task to change the feature policy assigned to a feature. Before you begin Ensure that the feature has at least two feature policies configured. 1 From the McAfee epo Cloud menu, select Policy Web, Cloud Data Policy. 2 To view the available policies, select the relevant key feature area, and click the policy drop-down arrow. By default, the currently activated policy is selected. 3 Select the required policy from the list. The key feature header bar expands, displaying the Activate Policy button. 4 Click Activate Policy. The Change Policy confirmation dialog box is displayed. 5 Click Yes to confirm that you want to change your active policy for the selected key feature. The Policy Assignment changes to the newly selected feature policy. View audit logs Details of the changes made to your policies are logged on the McAfee epo Cloud Audit Log page. Each time a policy or rule is created, changed or deleted, or when rules are reordered, details of the changes are included in the McAfee epo Cloud Audit Log. 1 From the McAfee epo Cloud menu, click User Management Audit Log. The Audit Log is displayed. 34 McAfee Web Gateway Cloud Service Product Guide

35 Policy management Error conditions 2 2 To find specific entries, select the required time period from the Preset drop-down list, or use the Quick find field. Click Apply. Quick find searches through the User Name, Priority, Action, and Details fields. s Details of the changes to policies and rules are shown for the selected parameters. These details include the ID for each entry, and the hierarchy of the object or rule. Export the audit logs on page 35 You can export the information contained in your audit logs for analysis outside of McAfee epo Cloud. Export the audit logs You can export the information contained in your audit logs for analysis outside of McAfee epo Cloud. Before you begin Ensure that you are viewing the audit logs from User Management Audit Log in McAfee epo Cloud. 1 Search for the specific entries of interest by selecting the required time period from the Preset drop-down list, or using the Quick find field. Click Apply. 2 Click the Actions drop-down button, and select Export Table. 3 Define the configuration information for the exported information. Option Description Compress files File format To export all files in one.zip file, select this option. Select the format for the exported information. If you select PDF output, define the page size and the page orientation. You can also include information about your selected filtering criteria, and add a cover page to the PDF report. What to do with exported files Enter the Recipients details, the Subject, and other information as required for the message Body. 4 Click Export to send the audit logs using your selected criteria. Error conditions When working with products that include interactions with web servers, some potential error conditions can occur. These error conditions can also be caused by multiple administrators making concurrent changes to policies. These error conditions typically fall into one of the following categories: McAfee Web Gateway Cloud Service Product Guide 35

36 2 Policy management Error conditions Data errors Network connection errors Saving errors Data errors Data errors occur when data is unavailable or cannot be found. Typical reasons for these data errors are: The requested data has been deleted or cannot be found. A server-side error occurred while processing the data request. If a data error occurs, you are presented with an error message telling you the data is unavailable. This message provides you with a Reload button to attempt to reload the data. If the data is still not available, you are informed that the retry was unsuccessful. If the requested data was previously deleted, the error message gives information about the deleted data. Network connection errors As with many web services, there is potential for communication errors between the system you are using, and the web server and database hosting the services. Often, network communication errors are short-lived, and the service automatically reconnects when the communication is restored. When experiencing connection errors, you are presented with the option to manually retry the connection. If you navigate away from the current page before network connections are re-established, you lose any unsaved changes. Saving errors Saving errors occur when an administrator clicks Save, but the save is unsuccessful. Reasons for a save being unsuccessful include: A general error occurs where the server was busy or overloaded. Somebody else deleted the rule before you attempted to save it. An object within the rule being saved no longer exists. 36 McAfee Web Gateway Cloud Service Product Guide

37 3 Authentication 3 McAfee WGCS applies your web security policy to web requests from end users after they are authenticated. Contents Authentication and policy decisions How McAfee WGCS implements the authentication options How the authentication process works IP range authentication SAML authentication IPsec site-to-site authentication Authentication and policy decisions McAfee WGCS makes policy decisions based on the information returned by each authentication option. Client Proxy authentication This option is available when Client Proxy is installed on end-user computers running Windows or Mac OS X and integrated with McAfee WGCS. Client Proxy returns your organization's ID and the names of any groups to which the end user belongs to McAfee WGCS. McAfee WGCS makes policy decisions based on group membership. IP range authentication Select this option when you want McAfee WGCS to authenticate end users based on their IP addresses. McAfee WGCS makes policy decisions based on the IP address ranges configured for your organization. SAML authentication Select this option when you want to specify the identity provider that authenticates end users in your organization. Authentication can be by any method. For example, users can be authenticated by an on-premise Active Directory service, Facebook, or Google. The authentication result and identity information are returned to McAfee WGCS in SAML assertions that contain attribute name-value pairs. McAfee WGCS makes policy decisions based on the group ID attribute value in the SAML assertions. IPsec site-to-site authentication Select this option when you want to secure communications between your network and McAfee WGCS using an IPsec VPN tunnel. McAfee WGCS makes policy decisions based on the customer ID associated with the source IP address of the IPsec communications it receives and a pre-shared key. How McAfee WGCS implements the authentication options Implementation depends on the authentication option. The authentication options are: McAfee Web Gateway Cloud Service Product Guide 37

38 3 Authentication How the authentication process works Client Proxy Client Proxy software installed on the endpoint adds headers to each HTTP or HTTPS request. The headers are encrypted using the shared secret. McAfee WGCS detects the headers, decrypts them using the shared secret, and identifies the end user. Configure Client Proxy authentication in the Policy Catalog in the McAfee epo or McAfee epo Cloud management console. Configuration is not required in the Web Protection interface. IP range McAfee WGCS checks whether the source IP address in the TCP packet that it receives is included in the IP address ranges that the customer configured as safe. If the address is included, McAfee WGCS authorizes the request. SAML The SAML option uses cookie authentication. The cookie contains user and group names. If no cookie is present in the request, McAfee WGCS redirects the request to the identity service configured for the domain name in the address entered by the end user. The identity service authenticates the user and redirects the request back to McAfee WGCS with the cookie. McAfee WGCS evaluates the cookie and extracts the user's identity. IPsec site-to-site IPsec site-to-site is a transport protocol rather than an authentication method. McAfee WGCS authenticates the IPsec VPN tunnel and the customer, but not the end user. If you add Client Proxy or SAML authentication to IPsec site-to-site, McAfee WGCS can use these methods to authenticate requests that are received through the VPN tunnel. How the authentication process works How McAfee WGCS processes web requests and performs authentication depends on several factors, including the port number where the request is received and whether IPsec site-to-site is configured. Client Proxy authentication McAfee WGCS checks for and performs Client Proxy authentication before any other authentication method. This is true when IPsec site-to-site authentication is configured and when it is not. You can combine the user authentication provided by Client Proxy with the security provided by IPsec site-to-site. To add Client Proxy authentication to IPsec site-to-site, verify that Client Proxy is configured to use port 80 when redirecting traffic to McAfee WGCS. SAML authentication Port 8084 is reserved for SAML authentication. If SAML and IPsec site-to-site authentication are configured, you can add the SAML configuration to each IPsec location. Authentication process without IPsec site-to-site configured When IPsec site-to-site is not configured, McAfee WGCS processes web requests according to the number of the port where they are received. Ports 80, 8080, 8081 McAfee WGCS processes web requests received on these ports as follows: 1 Client Proxy McAfee WGCS first checks for Client Proxy headers in the web request. If they are present, Client Proxy authentication is performed. 2 IP range If the web request does not contain Client Proxy headers, McAfee WGCS then checks whether the source IP address is included in the IP address ranges that the customer configured as safe. If the source IP address is included, McAfee WGCS authorizes the request. 3 If neither Client Proxy nor IP range authentication is performed, the web request is not authorized. Port 8084 SAML authentication is performed on all web requests received on port McAfee Web Gateway Cloud Service Product Guide

39 Authentication IP range authentication 3 Authentication process using IPsec site-to-site When IPsec site-to-site is configured, McAfee WGCS processes web requests received through the IPsec VPN tunnel as follows. 1 Client Proxy McAfee WGCS first checks for Client Proxy headers in the web request. If they are present, Client Proxy authentication is performed. 2 SAML If the web request does not contain Client Proxy headers, McAfee WGCS then checks whether a SAML configuration is associated with the IPsec configuration. If the association exists, SAML authentication is performed. 3 If neither Client Proxy nor SAML authentication is performed, the customer is authenticated, but the end user is not identified. IP range authentication You configure ranges of IP addresses that are considered safe in the management console. Then, McAfee WGCS authenticates users who send web requests from these addresses. In the IP range authentication user interface, you can: Enable or disable IP range authentication. Configure IP address ranges. Import a list of IP address ranges. Export a list of IP address ranges. Enable or disable IP range authentication You can enable or disable IP range authentication as needed. 1 From the management console menu, select Web Protection Authentication Settings. 2 From the Authentication Settings drop-down list, select IP Range. The Details pane opens on the right. 3 To enable IP range authentication, select the IP Range Authentication checkbox. To disable IP range authentication, deselect the checkbox. 4 Click Save. Configuring IP range authentication You configure ranges of IP addresses using Classless Inter-Domain Routing (CIDR) notation. CIDR notation specifies: A routing prefix to a network An IP address or range on the specified network CIDR syntax consists of an IPv4 or IPv6 address followed by a forward slash and a decimal number. The decimal number specifies the number of bits in the routing prefix and is called the network size in bits. IPv4 networks are allowed to range in size from 24 bits to 32 bits. A 24-bit IPv4 network consists of 256 addresses. IPv6 networks are allowed to range in size from 120 bits to 128 bits. A 120-bit IPv6 network consists of 256 addresses. McAfee Web Gateway Cloud Service Product Guide 39

40 3 Authentication IP range authentication Protocol Network size (bits) CIDR notation (example) Specified IP address range IPv /24 From to IPv :db8:1234:0:0:0:0:ff00/120 From 2001:db8:1234:0:0:0:0:ff00 to 2001:db8:1234:0:0:0:0:ffff Add an IP address range When configuring IP Range authentication, you can add an IP address or range to the IP Address Ranges list. 1 From the management console menu, select Web Protection Authentication Settings. 2 From the Authentication Settings drop-down list, select IP Range. The Details pane opens on the right. 3 From the IP Address Ranges menu, select Configure IP Range. The configuration field opens. 4 Using CIDR notation, enter an IPv4 or IPv6 address or range, then click Add. The entry is added to the IP Address Ranges list. 5 Continue adding IP addresses or ranges as needed, then click Save. Change an IP address range When configuring IP Range authentication, you can change an IP address or range in the IP Address Ranges list. To add an IP address or range instead of changing it, click the add (+) icon. 1 From the management console menu, select Web Protection Authentication Settings. 2 From the Authentication Settings drop-down list, select IP Range. The Details pane opens on the right. 3 From the IP Address Ranges menu, select Configure IP Range. The configuration field opens. 4 In the IP Address Ranges list, select the entry that you want to change. The entry is displayed in the configuration field. 5 Edit the entry, then click Done. The IP Address Ranges list is updated with the new entry. 6 Continue changing IP addresses or ranges as needed, then click Save. 40 McAfee Web Gateway Cloud Service Product Guide

41 Authentication IP range authentication 3 Delete an IP address range When configuring IP Range authentication, you can delete an IP address or range from the IP Address Ranges list. 1 From the management console menu, select Web Protection Authentication Settings. 2 From the Authentication Settings drop-down list, select IP Range. The Details pane opens on the right. 3 From the IP Address Ranges menu, select Configure IP Range. 4 To delete an IP address or range, click the delete (x) icon to the right of the range. 5 Click Save. Import a list of IP address ranges You can replace the IP Address Ranges list with a list that you import from a.csv file. Before you begin Review these considerations before importing a list of IP address ranges from a.csv file: The file contains one IP address or range per line. The first line in the file can contain a header. If so, select the This file contains a header row checkbox when you import the file. 1 From the management console menu, select Web Protection Authentication Settings. 2 From the Authentication Settings drop-down list, select IP Range. The Details pane opens on the right. 3 From the IP Address Ranges menu, select Import IP Range List. The Import List dialog box opens. 4 Browse to the.csv file with the list of IP addresses and ranges that you want to import, then click Import. The Import Status dialog box opens. 5 To confirm the import, click Replace. The values in the IP Address Ranges list are replaced by the values in the.csv file. 6 Click Save. Export a list of IP address ranges You can save the IP Address Ranges list to a.csv file for backup, for editing, or for import later. 1 From the management console menu, select Web Protection Authentication Settings. 2 From the Authentication Settings drop-down list, select IP Range. The Details pane opens on the right. McAfee Web Gateway Cloud Service Product Guide 41

42 3 Authentication SAML authentication 3 From the IP Address Ranges menu, select Export IP Range List. The Opening IP_range_list_null.csv dialog box opens. 4 Select Save File, then click OK. 5 Specify a file name and location, then click Save. SAML authentication Using SAML 2.0 authentication, McAfee WGCS supports organizations that want to use their own identity service to authenticate end users. In addition to the end user, the SAML specification defines these roles: Identity provider Authenticates the end user and provides assertions attesting to the user's identity. The identity provider is any identity service that your organization specifies. Service provider Decides whether to provide the service requested by the end user based on the identity information received from the identity provider. The end user is requesting access to a web resource. As the service provider, McAfee WGCS forwards the user's request to the cloud with the identity information or blocks the request. The identity provider and service provider communicate using a request-response protocol: SAML request The service provider sends a request for authentication to the identity provider. SAML response The identity provider sends a response with one or more SAML assertions about the end user to the service provider. Benefits of SAML authentication SAML authentication provides these benefits. SAML authentication: Supports any identity provider and authentication method, as long as the authentication request, response, and result are exchanged using the SAML 2.0 protocol. Eliminates passwords from the exchange of information between the SAML parties. McAfee WGCS does not require a password from the end user. Instead, the identity provider shares all authentication and identity information in the form of SAML assertions. SAML authentication high-level steps Before applying your organization's web policy to the end user, McAfee WGCS requires the user identity and group information provided by the SAML authentication process. The SAML authentication process consists of these high-level steps. 42 McAfee Web Gateway Cloud Service Product Guide

43 Authentication SAML authentication 3 1 The end user requests access to a web resource. The request includes the URL of the resource, but no identifying information about the user or the user's organization. 2 McAfee WGCS receives the request and returns a block page, prompting the user for an address. 3 The user returns an address. 4 McAfee WGCS looks up the domain name, which is part of the end user's address, in the list of configured domains. If the domain name exists, the cloud service initiates SAML authentication by redirecting the SAML request in a cookie through the user's browser to the identity provider configured for that domain. The SAML request includes these values: Entity ID Identifies McAfee WGCS as the issuer of the SAML request. This value is assigned by your organization. Service provider URL Specifies the URL that McAfee WGCS uses for SAML communication. This URL has a constant value: 5 To validate the SAML request, the identity provider looks up the entity ID and service provider URL. If they are configured, the identity provider authenticates the end user, then redirects the SAML response in a cookie through the user's browser to McAfee WGCS. The response contains SAML assertions attesting to the user's identity and providing information about the user and the user's groups. McAfee Web Gateway Cloud Service Product Guide 43

44 3 Authentication SAML authentication The SAML response includes these values: Entity ID Identifies the identity provider as the issuer of the SAML response. This value is assigned by your organization. Identity Provider URL Specifies the URL of the identity provider service. This value is provided by your organization. 6 To validate the SAML response, McAfee WGCS looks up the entity ID and identity provider URL. If they are configured and the user is authenticated, McAfee WGCS applies your organization's web policy to the end user and allows or blocks access to the requested web resource. SAML configuration overview SAML authentication requires configuration in your identity provider, on the client computers in your organization, and in the management console. Configuration in your identity provider For SAML communication with McAfee WGCS, configure your identity provider to use this URL: Because the cloud service consumes SAML assertions sent by the identity provider, this setting is known as the Assertion Consumer Service (ACS) URL. Several SAML settings are configured in the management console and in your identity provider. For SAML authentication to succeed, these settings must match exactly. Configuration in the client browsers For SAML authentication using McAfee WGCS, configure the client browsers in your organization to send web requests to port 8084, as follows: c<customer_id>.saasprotection.com:8084 Configuration in the management console Configuring SAML authentication in the management console includes these overall tasks: Authentication Settings user interface Configure the SAML authentication settings. Policy Management user interface Configure SSL scanning. Considerations when configuring SAML authentication Before configuring SAML authentication, review these considerations. Setting up SSL scanning SSL scanning is required for SAML authentication. Enabling SAML authentication automatically enables SSL scanning, which you configure in the Policy Management user interface. To set up SSL scanning: 1 Configure an SSL scanner policy. 2 Download the SSL certificate bundle. 3 Install the SSL certificates on the browsers and operating systems running on the client computers in your organization. For more information about SSL scanning, see the Policy management chapter. 44 McAfee Web Gateway Cloud Service Product Guide

45 Authentication SAML authentication 3 Whitelisting the identity provider URL When configuring McAfee WGCS as the proxy server using a PAC file or other proxy configuration method, whitelist the identity provider URL. Failing to take this step can cause SAML communications between the end user and the cloud service to enter an infinite loop. Configuring SAML in the management console In the SAML authentication user interface, you can configure SAML authentication and enable or disable the configuration. s Enable or disable SAML authentication on page 45 You can enable or disable SAML authentication as needed. Configure SAML authentication on page 45 After configuring SAML authentication, you can use your own identity provider and share authentication and identity information with McAfee WGCS in the form of SAML assertions. Enable or disable SAML authentication You can enable or disable SAML authentication as needed. 1 From the management console menu, select Web Protection Authentication Settings. 2 From the Authentication Settings drop-down list, select SAML. The Details pane opens on the right. 3 To enable editing, click the pencil icon, then select an option: To enable SAML authentication Select the Enable SAML Authentication checkbox. To disable SAML authentication Deselect the Enable SAML Authentication checkbox. 4 Click Save. Configure SAML authentication After configuring SAML authentication, you can use your own identity provider and share authentication and identity information with McAfee WGCS in the form of SAML assertions. Before you begin To configure SAML authentication, you need the following information: Names of one or more domains that identify your organization URL of your identity provider Entity ID assigned to McAfee WGCS by your organization Entity ID assigned to your identity provider by your organization Name of attribute that uniquely identifies end users Name of attribute that lists group memberships McAfee Web Gateway Cloud Service Product Guide 45

3 Authentication SAML authentication Names of groups in your organization Certificate for verifying signed SAML responses and assertions Several SAML settings are configured in the management console

2 From the Authentication Settings drop-down list, select SAML. The Details pane opens on the right.

46 3 Authentication SAML authentication Names of groups in your organization Certificate for verifying signed SAML responses and assertions Several SAML settings are configured in the management console and in your identity provider. For SAML authentication to succeed, these settings must match exactly. 1 From the management console menu, select Web Protection Authentication Settings. 2 From the Authentication Settings drop-down list, select SAML. The Details pane opens on the right. 3 To enable editing, click the pencil icon, then configure the domains, SAML request, and SAML response fields and settings. 4 To provide a certificate, click the pencil icon. The Edit Certificate dialog box opens. 5 Download the certificate file from your identity provider service and open the file in a text editor. Copy the contents of the file, including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, and paste the contents in the dialog box, then click Save. The dialog box closes and the certificate is saved. 6 Click Save. SAML authentication is configured and saved. SAML authentication settings To configure SAML authentication, provide values for these settings. Table 3-1 SAML authentication settings Option Enable SAML Authentication Domain(s) Definition When selected, enables SAML authentication. Specifies a list of domain names (one per line). McAfee WGCS uses these values to identify your organization. McAfee WGCS looks up the domain name, which is part of the end user's address, in the list of configured domains. If the domain name exists, the cloud service initiates SAML authentication by redirecting the SAML request in a cookie through the user's browser to the identity provider configured for that domain. Request McAfee WGCS uses these settings when sending SAML requests to the identity provider. Entity ID Uniquely identifies the service provider issuing the SAML request. Example: McAfeeWGCS The identity provider uses the entity ID to identify SAML requests sent by McAfee WGCS. You also specify this setting when configuring SAML authentication in the identity provider service. The value that you specify in the identity provider must exactly match the value that you specify in the management console. 46 McAfee Web Gateway Cloud Service Product Guide

Product Guide. McAfee Web Gateway Cloud Service

Product Guide. McAfee Web Gateway Cloud Service Product Guide McAfee Web Gateway Cloud Service COPYRIGHT Copyright 2017 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator, McAfee epo, McAfee